A Web application firewall (WAF) is designed to protect Web applications against common attacks such as cross-site scripting and SQL injection. Whereas network firewalls defend the perimeter of the network, WAFs sit between the Web client and Web server, analyzing application-layer traffic for violations in the programmed security policy, says Michael Cobb, founder of Cobweb Applications, a security consultancy.

While some traditional firewalls provide a degree of application awareness, it's not with the granularity and specificity that WAFs provide, says Diana Kelley, founder of consultancy Security Curve. For instance, the WAF can detect whether an application is not behaving the way it was designed to, and it enables you to write specific rules to prevent that kind of attack from reoccurring.

WAFs also differ from intrusion prevention systems. "It's a very different technology—it's not signature-based, it's behavioral, and it protects against vulnerabilities you [inadvertently] create yourself," says Greg Young, an analyst at Gartner.

One of the primary drivers for WAFs today is the Payment Card Industry Data Security Standard (PCI DSS), which identifies two ways of being in compliance: WAFs and code review. (See Source Code Analysis Tools: How to Choose and Use Them.) But another driver is simply the growing recognition that attacks are moving from the network to applications. In a study by WhiteHat Security, which assessed 877 websites from January 2006 to December 2008, 82 percent had at least one issue of high, critical or urgent severity.

Main WAF Attributes

The web application firewall market is still undefined, with many dissimilar products falling under the WAF umbrella. "Many products provide functionality above and beyond what one would consider a firewall," says Ramon Krikken, research analyst at Burton Group. "This makes products hard to evaluate and compare." In addition, new vendors are entering the market, by expanding existing non-WAF products into the integrated segment.

Here are the attributes that a WAF should have, according to a list provided by Ofer Shezaf, founder of research and consulting firm Xiom:

Have intimate understanding of HTTP. WAFs need to fully parse and analyze HTTP to be effective.

Provide a positive security model. A positive security policy allows only traffic known to be valid to pass through. Sometimes called "whitelisting," this provides an external input validation shield over the application.

Application-layer rules. Because of the high maintenance cost, a positive security model should be augmented by a signature-based system. But since Web applications are custom-coded, traditional signatures targeting known vulnerabilities are not effective. WAF rules should be generic and detect any variant of an attack, such as SQL injection.

Session-based protection: One of the biggest downsides of HTTP is the lack of a built-in reliable session mechanism. A WAF must complement the application session management and protect it from session-based and over-time attacks.

Web Application Firewall Selection Criteria

Very few false positives (i.e., should never disallow an authorized request);

Strength of default (out-of-the-box) defenses;

Power and ease-of-learn mode;

Types of vulnerabilities it can prevent;

Ability to keep individual users constrained to exactly what they have seen in the current session;

Ability to be configured to prevent specific problems, such as emergency patches;

Form factor: software versus hardware (hardware generally preferred).

Prime Considerations for Web Application Firewalls

WAFs versus source-code scanning. WAFs protecting applications in real time (rather than fixing them) has ignited criticism in the past. Some vendors are wary of the term "WAF," preferring instead "application awareness" or "application-layer intelligence," Kelley says. Today, however, a growing consensus seems to be that, implemented correctly, WAFs can serve as an important part of a layered security model, as they provide protection while you repair application vulnerabilities.

As Jeremiah Grossman, founder of WhiteHat Security, argues on his blog, there are far too many vulnerabilities to keep up with remediating them in the code itself. He advocates that vulnerabilities found through an assessment be imported as customized rules into a WAF, providing an option to mitigate now and remediate the source of the problem later.

Gartner, on the other hand, advises customers to consider techniques for removing application vulnerabilities. "Before you spend your first dollar, consider whether you're in a position to remove vulnerabilities through a stronger system development lifecycle and by using tools such as source-code scanners," Young says. WAFs are useful for applications that are difficult or impossible to change, or those that are very dynamic, he says.

For most companies, "it's sufficient to choose one or the other approach," he says, although there is a small percentage of companies whose risk tolerance is so low that they'll want to use both.

Hardware appliance versus software. For Jack Nelson, IT director of global network services and operations at Jarden Consumer Solutions, a big reason for choosing the Check Point Software Technologies VPN-1/FireWall-1 gateway with integrated Web intelligence technology was that it was available in both configurations. Jarden has remote offices that are not staffed by IT workers, so Nelson uses the software-based version to make it simple for office managers to reconfigure any PC to become a WAF if the existing WAF goes down. "It's a lot more flexible than having to purchase a second firewall, and it's less expensive than paying for quick-response maintenance," he says. The interface is simple enough that it doesn't require a firewall expert, he says, and licensing is key-based, so you can apply it remotely.

In a couple of small offices in North America, Nelson uses the Check Point appliance because he finds it more manageable and support is more available.

Inline or out-of-band deployment. It's critical to decide up front whether you plan to deploy the WAF inline or out-of-band, as not all WAFs support both modes. "I often see short lists that consist of products with different deployment modes, or lists where none of the products would support the design being envisioned," Young says.

WAF DO's and DON'Ts

DO understand the difference between stand-alone and integrated products. It's important to understand the difference between vendors that incorporate WAF capabilities into their existing application delivery and network security products versus those that specialize in application security. Deciding which is right for you depends on many factors, including what you've got installed already, the level of security you need and whether you're more comfortable with specialized products or those with broad functionality.

Krikken notes that products focusing on application delivery need to perform at wire speeds and thus don't include compute-intensive capabilities such as learning engines and session awareness. "They're very much limited to black-listing and white-listing and inbound/outbound inspection," he says. Learning engines enable the WAF to learn the behavior of an application and generate policy recommendations. Session awareness enables the WAF to build dynamic, session-based rules in real time and use those to determine whether subsequent requests are valid.

For Nelson, who is using Check Point's integrated product for the company's virtual private network and external Web applications, it was important that the product handle a breadth of security components rather than an application-specific firewall. "We wanted the ability to consolidate functionality without sacrificing performance and manageability," he says.

Meanwhile, at automotive parts supplier AutoAnything.com, which is using Breach Security's stand-alone WAF to secure e-commerce, CTO Parag Patel takes the opposite approach. "It's rare that one company can do a lot of things well," he says.

DON'T consider the WAF a silver bullet. Many companies are turning to WAFs for PCI compliance. However, analysts warn against seeing a WAF as a check-off item.

"I see a lot of mistakes and bad spending going on," Young adds. "People think, If we buy a firewall, the auditors will go away,' but that's not good enough in this area. You have to customize your application defense to fit your environment."

DO look beyond traditional WAF functionality. While the traditional WAF customer is the security team, many products are becoming attractive to a wider audience, thanks to analysis features, single-sign-on support and integration with Web services security, Krikken says. That's why he advises that WAF evaluation should include those responsible for enterprise architecture, application delivery and software development. "This will improve confidence in the security aspects of the solution, as well as alleviate availability and performance concerns," he says.

At a global energy company, in fact, the decision to use a WAF followed the need for a security service for the company's service-oriented architecture (SOA) implementation. The chief architect at the company decided on the Reactivity XML accelerator security device, which was later bought by Cisco Systems, which turned it into the ACE WAF. When the energy company determined that it needed an Internet-facing WAF, Cisco assured it that it could double-up on the use of ACE for both its internal SOA needs, as well as for securing its Web applications. (See also SOA Security: The Basics.)

DO consider the WAF for performance monitoring. Application monitoring is one nontraditional use for WAFs that's growing in popularity, as WAFs are able to detect performance issues or whether the application is serving up error pages because of broken links.

DON'T think it's set-and-forget. While you can use out-of-the-box blacklist rules for basic security, Krikken says, be prepared to invest ongoing time and effort for all but the most simple Web applications. "Even with rule templates and learning engines, initial tuning and ongoing customization will often be required to optimize effectiveness and reduce false positives," he says.

At the global energy company, the chief architect says his company was able to configure one use case in two hours with the Cisco WAF. However, he would like more best practices guides for configuring things like character filtering "rather than us scrambling to do this."

DO consider a learning engine feature. With a learning engine, the WAF learns about applications so it can create and even enforce rules. In very dynamic environments, Krikken says, it's better for the WAF to alert you to aberrant behavior than block it.

Patel uses Breach's learning engine, which he says profiled Web applications over a couple of months. During that time, it flagged irregular behavior, which his team reviewed. "You need a certain level of comfort that it's going to make the right decisions," he says. Over time, however, Patel wanted automated blocking. "With the amount of traffic we get on the site, it's key that the WAF recognizes irregularities and shuts down those attempts while they're happening, rather than later on," he says.

For instance, the WAF now stops competitors from scraping product data from the website, which includes millions of SKUs, as well as pricing information. "If we see someone is checking data weekly or monthly, that represents a huge loss of competitive intelligence," Patel says.

DO consider enterprise-level capabilities. Jarden's Nelson chose Check Point's product in part for its enterprise-level console, which provided centralized management for all of Jarden's firewalls. He particularly likes that he can group the firewalls into what's called "containers" and apply different policies within those containers.

Meanwhile, the security-messaging engineer at a nutritional supplements manufacturer says a big advantage of the Barracuda system he uses is its scalability. The company's main motivation for a WAF was to provide a secure Web mail interface to users who wanted to access e-mail from around the world. It also uses it to protect against application-layer attacks.

The security engineer wanted to provide users with a single URL to access e-mail no matter where they were, and he wanted to be able to scale up the system without interruption. Because he can add an additional WAF appliance without giving it a new IP address, it's transparent to users. "If it starts being overloaded, all we have to do is get another one, put in a rack, cluster it with this one and we've got twice as much capacity," he says.